DFW dropping packets when "Don't Fragment" flags are set

Article ID: 321097

Updated On: 02-03-2025

Products

VMware NSX for vSphere

Issue/Introduction

This article explains how the NSX Distributed Firewall (DFW) handles packets that have the "Don't Fragment" (DF) or "More Fragments" (MF) flags set.

Symptoms:
In an NSX environment where the Distributed Firewall is in use and packets have the "Don't Fragment" (DF) flag set, you experience this symptom:

Dropped packets are seen on the network.

Environment

VMware NSX for vSphere 6.3.x

Cause

This issue occurs when a Linux VM sends a request to a Linux BIND DNS server and the server's response packet is larger than the allowed MTU (in this case 1500 bytes), so the packet must be fragmented. The Linux BIND DNS server sets the DF (Don't Fragment) flag on the UDP packet, so the resulting fragments carry both the DF and the MF (More Fragments) flags. Even though the MF flag indicates legitimate fragmentation, the VMware DFW interprets a packet that carries DF together with MF as illegal and drops both fragments.

In this scenario, Windows DNS servers and clients do not experience this symptom because they use TCP for DNS requests and responses instead of UDP.

Resolution

This is an expected behavior.

A packet that carries both the "Don't Fragment" (DF) and the "More Fragments" (MF) flags is treated as illegal by the DFW.

Workaround:
To work around this issue, ensure the MTU is larger than the packets that carry the DF bit, so that those packets never need to be fragmented.

Note: There is no workaround on hosts configured with 1500 bytes MTU.
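The following Python model is an added example, not VMware or BIND code; it parses the IPv4 flags field (RFC 791) and applies the verdict described in the Cause and Workaround sections to a constructed oversized UDP response. It also treats DF on a non-initial fragment (non-zero offset, MF clear) as illegal, which is an assumption consistent with the article's statement that both fragments are dropped; addresses, identification values and sizes are constructed.

```python
import struct

# IPv4 flags field, RFC 791: bit 0 reserved, bit 1 = DF, bit 2 = MF.
IP_DF = 0x2
IP_MF = 0x1

def build_ipv4_header(total_len, ident, df, mf, frag_offset_bytes, proto=17):
    """Return a minimal 20-byte IPv4 header (constructed sample input).
    frag_offset_bytes must be a multiple of 8; the checksum is left as zero."""
    flags = (IP_DF if df else 0) | (IP_MF if mf else 0)
    flags_frag = (flags << 13) | ((frag_offset_bytes // 8) & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 53]), bytes([10, 0, 0, 1]))

def parse_fragment_fields(header):
    """Decode identification, DF, MF and fragment offset from an IPv4 header."""
    ver_ihl, _, total_len, ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags = flags_frag >> 13
    return {"id": ident, "len": total_len, "df": bool(flags & IP_DF),
            "mf": bool(flags & IP_MF), "offset": (flags_frag & 0x1FFF) * 8}

def dfw_verdict(header):
    """Model of the DFW rule in the article: DF combined with fragmentation
    (MF set, or a non-initial fragment; assumption, see lead-in) is illegal."""
    f = parse_fragment_fields(header)
    if f["df"] and (f["mf"] or f["offset"] != 0):
        return "drop"
    return "allow"

def fragment_response(payload_len, mtu, ident, set_df):
    """Split a UDP datagram of payload_len bytes (including the UDP header)
    into IPv4 fragments for the given MTU, copying the sender's DF choice into
    every fragment. Returns the constructed fragment headers (payload omitted)."""
    max_data = (mtu - 20) // 8 * 8          # fragment data must be 8-byte aligned
    headers, offset = [], 0
    while offset < payload_len:
        chunk = min(max_data, payload_len - offset)
        more = offset + chunk < payload_len  # MF is set on all but the last piece
        headers.append(build_ipv4_header(20 + chunk, ident, set_df, more, offset))
        offset += chunk
    return headers

def verdicts_for_response(payload_len, mtu, set_df):
    """Per-fragment DFW verdict, e.g. a 2000-byte BIND answer over a 1500-byte MTU."""
    return [dfw_verdict(h) for h in fragment_response(payload_len, mtu, 0x1234, set_df)]
```

Raising the MTU so the response fits in one packet (the documented workaround) or clearing DF on the sender both yield an "allow" verdict for every fragment.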

Additional Information

RFC: https://tools.ietf.org/html/rfc791

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.